Security checking done in AOR with LU6.2
Security checking is different depending on how SECURITYNAME is specified in the AOR and TOR.
The link userid referred to in Table 1 and Table 2 is the one specified in the SECURITYNAME on the CONNECTION resource definition, or the USERID on the SESSIONS resource definition.
If a USERID is specified on the SESSIONS definition, and a link check is done, the userid used is the one on the SESSIONS definition.
If no userid is specified in SECURITYNAME, then the default userid of the AOR is used instead. However, if the SECURITYNAME userid is the same as the region userid for the AOR, then the link is deemed to have the same security as the AOR, and link security is omitted altogether. The effect of omitted link security depends on whether LOCAL or non-LOCAL attach security is specified for the link:
- For LOCAL attach security, the security specified in the USERID on the SESSIONS definition is used. If this too is omitted, then the default userid for the AOR is used.
- For non-LOCAL attach security, the security specified in the USERID on the SESSIONS definition is not used. Only the userid received from the TOR is used to determine security.
Note: Neither the region userid for the TOR, nor the SECURITYNAME in the TOR's CONNECTION definition for the AOR, is relevant to security checking in the AOR.
Table 1 shows how checking is done when ATTACHSEC(LOCAL) is specified.
Region userid for AOR | SECURITYNAME in connection definition | USERID in SESSION definition | Checking in AOR |
---|---|---|---|
USERIDA | Not specified | Not specified | Check against AOR DFLTUSER |
USERIDA | Not specified | USERIDA | Check against AOR DFLTUSER |
USERIDA | Not specified | USERIDB | Check against USERIDB |
USERIDA | USERIDA | Not specified | Check against AOR DFLTUSER |
USERIDA | USERIDB | Not specified | Check against USERIDB |
USERIDA | USERIDA | USERIDA | Check against AOR DFLTUSER |
USERIDA | USERIDA | USERIDB | Check against USERIDB |
USERIDA | USERIDB | USERIDA | Check against AOR DFLTUSER |
USERIDA | USERIDB | USERIDB | Check against USERIDB |
USERIDA | USERIDB | USERIDC | Check against USERIDC |
Table 2 shows how checking is done when the ATTACHSEC parameter IDENTIFY (or PERSISTENT, or MIXIDPE) has been specified.
Region userid for AOR | SECURITYNAME in connection definition | USERID in SESSION definition | Checking in AOR |
---|---|---|---|
USERIDA | Not specified | Not specified | Transmitted userid and AOR DFLTUSER |
USERIDA | Not specified | USERIDA | Transmitted userid only |
USERIDA | Not specified | USERIDB | Transmitted userid and USERIDB |
USERIDA | USERIDA | Not specified | Transmitted userid only |
USERIDA | USERIDA | USERIDA | Transmitted userid only |
USERIDA | USERIDA | USERIDB | Transmitted userid and USERIDB |
USERIDA | USERIDB | Not specified | Transmitted userid and USERIDB |
USERIDA | USERIDB | USERIDC | Transmitted userid and USERIDC |
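
The precedence rules behind Table 1 and Table 2, modeled in Python as an added example (not IBM or CICS code) that can be used to predict which userids an AOR checks for a given set of definitions. The function names and the `DFLTUSER` and `Transmitted` labels are assumptions made here; the expected values are the rows of the two tables above.

```python
from typing import Optional, Tuple

DFLTUSER = "AOR DFLTUSER"      # label for the AOR's default userid
TRANSMITTED = "Transmitted"    # label for the userid received from the TOR
NON_LOCAL = {"IDENTIFY", "PERSISTENT", "MIXIDPE"}  # values named with Table 2


def aor_checks(attachsec: str, region: str,
               securityname: Optional[str] = None,
               session_userid: Optional[str] = None) -> Tuple[str, ...]:
    """Userids the AOR checks an inbound attach against (hypothetical helper)."""
    mode = attachsec.upper()
    if mode != "LOCAL" and mode not in NON_LOCAL:
        raise ValueError(f"ATTACHSEC({attachsec}) is not covered by the tables")
    # USERID on SESSIONS takes precedence over SECURITYNAME on CONNECTION.
    link = session_userid or securityname
    if link == region:
        # Link has the same security as the AOR: link security is omitted.
        return (DFLTUSER,) if mode == "LOCAL" else (TRANSMITTED,)
    if link is None:
        link = DFLTUSER  # no link userid anywhere: the AOR default is used
    return (link,) if mode == "LOCAL" else (TRANSMITTED, link)


# Rows of Table 1 and Table 2: (SECURITYNAME, SESSIONS USERID, expected checks).
A, B, C = "USERIDA", "USERIDB", "USERIDC"
TABLE1 = [(None, None, (DFLTUSER,)), (None, A, (DFLTUSER,)), (None, B, (B,)),
          (A, None, (DFLTUSER,)), (B, None, (B,)), (A, A, (DFLTUSER,)),
          (A, B, (B,)), (B, A, (DFLTUSER,)), (B, B, (B,)), (B, C, (C,))]
TABLE2 = [(None, None, (TRANSMITTED, DFLTUSER)), (None, A, (TRANSMITTED,)),
          (None, B, (TRANSMITTED, B)), (A, None, (TRANSMITTED,)),
          (A, A, (TRANSMITTED,)), (A, B, (TRANSMITTED, B)),
          (B, None, (TRANSMITTED, B)), (B, C, (TRANSMITTED, C))]


def mismatches(attachsec, rows, region=A):
    """Rows where the model disagrees with the documented table."""
    return [r for r in rows if aor_checks(attachsec, region, r[0], r[1]) != r[2]]


if __name__ == "__main__":
    print("Table 1 mismatches:", mismatches("LOCAL", TABLE1))
    print("Table 2 mismatches:", mismatches("IDENTIFY", TABLE2))
```

The rows worth auditing in a real configuration are those where the link userid equals the AOR region userid, because link security is then omitted and, for non-LOCAL attach security, only the userid sent by the TOR is checked.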